chore(oidc): add refresh token error integration test (#7766)

We are trying to reproduce a few 500 responses we observe on zitadel cloud's token endpoint. As in the past these were caused by wrongly encoded or encrypted refresh tokens, I created a integration test which tries to reproduce 500 errors by sending invalid refresh tokens. The added test does not reproduce 500s, all returned errors are in the 400 range as they should. However, as the test is already written, we might as well include them. Related to #7765 Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-12-04 23:45:07 +00:00 · 2024-04-17 11:38:03 +03:00 · 2024-04-17 11:38:03 +03:00 · dbb824a73f
commit dbb824a73f
parent 9ccbbe05bc
1 changed files with 76 additions and 0 deletions
--- a/internal/api/oidc/server_integration_test.go
+++ b/internal/api/oidc/server_integration_test.go
@ -0,0 +1,76 @@
+//go:build integration
+
+package oidc_test
+
+import (
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/client"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/schema"
+)
+
+func TestServer_RefreshToken_Status(t *testing.T) {
+	clientID, _ := createClient(t)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name         string
+		refreshToken string
+	}{
+		{
+			name:         "invalid base64",
+			refreshToken: "~!~@#$%",
+		},
+		{
+			name:         "invalid after decrypt",
+			refreshToken: "DEADBEEFDEADBEEF",
+		},
+		{
+			name:         "short input",
+			refreshToken: "DEAD",
+		},
+		{
+			name:         "empty input",
+			refreshToken: "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			request := rp.RefreshTokenRequest{
+				RefreshToken: tt.refreshToken,
+				ClientID:     clientID,
+				GrantType:    oidc.GrantTypeRefreshToken,
+			}
+			client.CallTokenEndpoint(CTX, request, tokenEndpointCaller{RelyingParty: provider})
+
+			values := make(url.Values)
+			err := schema.NewEncoder().Encode(request, values)
+			require.NoError(t, err)
+
+			resp, err := http.Post(provider.OAuthConfig().Endpoint.TokenURL, "application/x-www-form-urlencoded", strings.NewReader(values.Encode()))
+			require.NoError(t, err)
+			defer resp.Body.Close()
+			assert.Less(t, resp.StatusCode, 500)
+			body, err := io.ReadAll(resp.Body)
+			require.NoError(t, err)
+			t.Log(string(body))
+		})
+	}
+}
+
+type tokenEndpointCaller struct {
+	rp.RelyingParty
+}
+
+func (t tokenEndpointCaller) TokenEndpoint() string {
+	return t.OAuthConfig().Endpoint.TokenURL
+}